Abstract

'Cyberinsurance' is a broad industry term for corporate liability insurance covering damages caused by security breaches of a company's IT infrastructure. It is a booming market that raises significant expectations: several policy makers (e.g. the UK Paymaster General and the US Senate Committee on Security) and several cyber experts (e.g. Bruce Schneier) have heralded it as a mechanism for efficiently valuing the cost of cyber attacks and as an effective substitute for government action. Whilst the effect of purchasing insurance on the behaviour of individuals or firms has been studied for more than four decades, the unique, adaptive characteristics of cyber attacks mean that past findings are not necessarily applicable.

In this talk I will present a very general model of heterogeneous firms making risk-averse decisions while facing losses from cyber attacks conducted by strategic adversaries in a Cournot competition. We demonstrate that, whilst the presence of actuarially fair insurance increases the aggregate utility of target firms, the presence of insurance does *not* necessarily increase security expenditures with respect to those mandated by a benevolent social planner. Furthermore, we show that when insurance is provided by a monopolist insurer that mandates firms' security expenditure (as has been proposed), aggregate security expenditure is predicted to fall dramatically (and the number of attackers to increase). In other words, delegating the policy maker's role of regulating security expenditures to cyberinsurers might yield a digital tragedy of the commons.

Joint work with Julian Williams and Joe Swierzbinski.

Bio

Fabio Massacci is a full professor at the University of Trento (IT). He received a Ph.D. in Computing from the University of Rome La Sapienza in 1998 and has held positions in Cambridge (UK), Toulouse (FR) and Siena (IT). He has published more than 250 articles in peer-reviewed journals and conferences, and his h-index is 35+ (Scopus, Scholar, WOS). His current research interest is in empirical methods for cyber security. He was the European Coordinator of the SECONOMICS project on the socio-economic aspects of security. Some of the ideas behind this research have now been incorporated into the Common Vulnerability Scoring Standard (CVSS) v3, released in June 2015. In 2015 he also received the IEEE Requirements Engineering 10-Year Most Influential Paper Award for his research on security requirements engineering. He is now working on the SESAR EMFASE project on the empirical validation of security risk assessment in air traffic management.